tcp: mitigate ACK loops for connections as tcp_request_sock
authorNeal Cardwell <ncardwell@google.com>
Fri, 6 Feb 2015 21:04:39 +0000 (16:04 -0500)
committerDavid S. Miller <davem@davemloft.net>
Sun, 8 Feb 2015 09:03:12 +0000 (01:03 -0800)
In the SYN_RECV state, where the TCP connection is represented by
tcp_request_sock, we now rate-limit SYNACKs in response to a client's
retransmitted SYNs: we do not send a SYNACK in response to client SYN
if it has been less than sysctl_tcp_invalid_ratelimit (default 500ms)
since we last sent a SYNACK in response to a client's retransmitted
SYN.

This allows the vast majority of legitimate client connections to
proceed unimpeded, even for the most aggressive platforms, iOS and
MacOS, which actually retransmit SYNs at 1-second intervals several
times in a row. They use SYN RTO timeouts following the progression:
1,1,1,1,1,2,4,8,16,32.

Reported-by: Avery Fay <avery@mixpanel.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/tcp.h
include/net/tcp.h
net/ipv4/tcp_minisocks.c

index 67309ece0772b9a28e054af553c9aabd76021699..bcc828d3b9b965188e299d2af02c6333b4bcd9d1 100644 (file)
@@ -115,6 +115,7 @@ struct tcp_request_sock {
        u32                             rcv_isn;
        u32                             snt_isn;
        u32                             snt_synack; /* synack sent time */
+       u32                             last_oow_ack_time; /* last SYNACK */
        u32                             rcv_nxt; /* the ack # by SYNACK. For
                                                  * FastOpen it's the seq#
                                                  * after data-in-SYN.
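Review bot: The comment `/* last SYNACK */` on the new `last_oow_ack_time` field reads almost the same as `snt_synack; /* synack sent time */` on the line above, so the struct alone does not show how the two timestamps differ. Going by the commit message, this field only tracks SYNACKs sent in reply to a retransmitted SYN and feeds the rate limiter. The `tcp_openreq_init` hunk sets it to 0, which looks like a "none sent yet" marker rather than a real timestamp. I would spell that out, e.g. `/* last SYNACK sent for a retransmitted SYN, used for rate limiting; 0 = none yet */`. The struct definition continues outside this hunk.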
index b81f45c67b2e25505f7e71d9f081af0edab2f5a5..da4196fb78dbf39c12a421332bc0405948fc26c9 100644 (file)
@@ -1145,6 +1145,7 @@ static inline void tcp_openreq_init(struct request_sock *req,
        tcp_rsk(req)->rcv_isn = TCP_SKB_CB(skb)->seq;
        tcp_rsk(req)->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;
        tcp_rsk(req)->snt_synack = tcp_time_stamp;
+       tcp_rsk(req)->last_oow_ack_time = 0;
        req->mss = rx_opt->mss_clamp;
        req->ts_recent = rx_opt->saw_tstamp ? rx_opt->rcv_tsval : 0;
        ireq->tstamp_ok = rx_opt->tstamp_ok;
index bc9216dc9de18f722e8f502630cead46ac75115b..131aa4950d1c2377bb738b35968758251c36ce29 100644 (file)
@@ -605,7 +605,11 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
                 * Reset timer after retransmitting SYNACK, similar to
                 * the idea of fast retransmit in recovery.
                 */
-               if (!inet_rtx_syn_ack(sk, req))
+               if (!tcp_oow_rate_limited(sock_net(sk), skb,
+                                         LINUX_MIB_TCPACKSKIPPEDSYNRECV,
+                                         &tcp_rsk(req)->last_oow_ack_time) &&
+
+                   !inet_rtx_syn_ack(sk, req))
                        req->expires = min(TCP_TIMEOUT_INIT << req->num_timeout,
                                           TCP_RTO_MAX) + jiffies;
                return NULL;
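Review bot: The comment above the condition still describes only the retransmit-and-reset path, but the new `tcp_oow_rate_limited()` operand adds a second outcome. A retransmitted SYN that falls inside the rate-limit window now gets no SYNACK, leaves `req->expires` untouched and still returns NULL. I would add a line to that comment such as `* A SYN inside the rate-limit window is dropped without a SYNACK or timer reset (presumably counted under LINUX_MIB_TCPACKSKIPPEDSYNRECV).`, so someone investigating missing SYNACKs knows where to look. The empty added line between the two `&&` operands should also be removed, since it splits one expression for no reason. `tcp_check_req` starts and ends outside this hunk, and the helper's body is not visible here, so the counter behaviour is inferred from its arguments.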